Incidents

Mobile Scammers Target Sports Fans

The Olympic Games are a huge event. And scammers are obviously going to try and exploit the interest they generate. We’ve already written about “Olympic” spam mailings. Now, SMS spammers have also appeared on the scene.

On February 10 we registered a spam mailing, which supposedly led to the live stream of an Olympic event:

“Olympic live stream in Sochi hxxp://mms****.ru/olympic.apk”

If unsuspecting users click on the link, a Trojan will be downloaded to their device. We detect the Trojan in question as HEUR:Trojan-SMS.AndroidOS.FakeInst.fb.

If this Trojan successfully downloads and launches, it addresses the C&C server and transfers the data gathered on the user’s phone, including the list of contacts.

sms_spam_olymp_01s

After that the malicious program receives a command to send an SMS message.

sms_spam_olymp_02s

The message is sent to one of Russia’s largest banks and contains the text BALANS. If the user is a client of the bank and uses a mobile banking service, he will receive a message with information about his account balance.

The Trojan intercepts all the messages and sends them to the scammer’s server. As a result, the criminal ends up with information about the victim’s bank account.

The bank targeted by the attack was not chosen at random – it offers its clients the option of topping up a mobile phone account from a bank card. This service required the user to send a specific type of text message to the bank’s number.

After receiving commands, the Trojan sends a text message to the bank’s number and money is transferred from the user’s bank account to the account of the infected phone.

The money is then transferred from the phone to accounts belonging to the scammers.

The Trojan can steal up to 10 000 rubles (approximately $285) per day, while all the messages about transfers will be hidden from the user.

Social engineering has always posed a danger. Users should be especially careful during major world events. At the very least, avoid clicking links sent in messages by people you don’t know. There’s always a risk that you’ll fall into a trap and lose quite a bit of money.

To minimize the risk of being infected by mobile malware, we recommend the following:

  • Don’t turn off the vendor mode on mobile devices
  • Don’t flag the field “install the applications from unknown sources”
  • Only install apps from official channels (Google Play, Amazon Store, etc.)
  • Pay attention to the rights requested by apps during installation
  • If the set of requested permission rights does not correspond to an app’s intended functions (e.g., a game requests permission to send SMS messages), do not install the app
  • Use security software

Mobile Scammers Target Sports Fans

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox